Information published on 8 November 2016 in the UIC electronic newsletter "UIC eNews" Nr 522.

UIC-IMdR Day held on 20 October 2016 in Paris


Jean-Pierre LOUBINOUX, UIC Director General, opened the UIC-IMdR conference by warmly welcoming an institute specialising in risk management outside the railways. He said:

It was interesting for UIC to compare our philosophies and best practices and for us to open up to a rapidly changing world in which the new digital deal presents as many opportunities as potential risks.

The UIC-IMdR Day held on 20 October 2016 in Paris focused on: Safety of Interconnected Industrial Systems: From a rail perspective.

This event, organised by IMdR (Institute for Risk Management) Working and Focus Group (WFG) n°64, consisted of concrete examples which have been put into practice by UIC and SNCF and will help to provide a better picture and to initiate discussions.

Organisation: Denis Lebey and Sophie Agulhon addressed the subject of cybersecurity of industrial systems. This increasingly important topic has led governments to introduce new regulations, to be applied to critical systems in the first instance. Such systems already have to meet stringent requirements on operating security, which they do through the implementation of special development and assurance processes leading to certification. These processes are based on a set of rigorous, documented methods and techniques. The challenge is therefore to integrate cybersecurity into these security processes.

Marc Antoni, Abdallah Mhamed and Jean-Paul Gibson presented formal safety and security methods: Experience shows that current development methods are unable to guarantee the safety and security of products and systems. An appropriate architectural approach and formal method will be proposed for implementing a principle of formal validation of functions covering security aspects.

Nadia Ammad, Emile Geahchan and Patrice Martin led the Networks and Telecommunications workshop. This workshop provided an opportunity to look at how network designers can respond to the performance and security expectations of signalling systems (critical and real-time). It also examined “defence systems” and “continuity plans”, recommended by the major standardisation and security organisations.

Nadia Ammad and Marc Antoni then talked on the subject of functional protection: It has to be admitted that purely technical measures are not always sufficient to ensure the security of our industrial systems. The speakers looked at whether it is possible to reduce exposure to attack by utilising national specialist knowledge that potential aggressors generally do not have. This means contemplating that the enemy is already “inside the network” and that our critical modules should be able to discriminate between correctly formatted messages from within the network (generalised masquerade attacks).

Session “Safety - Changing contexts”: “The challenge of open systems and issues of mobility and big data”, Nadia AMMAD and Marc ANTONI

In the wake of the introduction of computer-based signalling installations, followed by the arrival of new information transmission systems, the railway system is once more faced with new advances in technology. The need for mobility, questions of digitisation, big data and the internet of connected things, all offer promising prospects for development and performance. But once again, there is the question of new risks.

While the internet offers definite benefits and resources that we now consider essential, the cyberspace it has created is also a place where danger lurks. Threats and attacks are not only virtual – there are the risks that certain industrial installations present for the population, even those that are not, or are not thought to be, connected to the internet. There are multiple opportunities for attack and the forms that these attacks may take via the internet must be anticipated. It is essential for counter-measures to be put in place at strategic points.

If they are not secure by design, the intelligent connected objects that now make up our shared environment and that of our industrial installations are open to a “SCADAstrophe” from which humanity will struggle to recover. Giving connected objects the intelligence to better monitor industrial systems through the ability to react quickly, more quickly than a human being could, will set us on the path to greater security. But we should not forget that malicious actions are still possible and so it is vital that these connected objects are developed around the concept of “safety by design”.

Now is the time to act, to raise awareness among users and to invest in safety and security, so that our interconnected world remains a space for growth and progress.

Emile Geahchan, CNAM IDF, discussed Cybercriminality in industry and social engineering, analysing the types of attacks on industrial sites, which are not fundamentally different from those on information systems in general. The difference lies in the consequences - physical disasters, paralysis of essential resources and even fatalities.

Nadia Ammad and Emile Geahchan presented some shared working solutions for Safety and Security. Though usually treated in parallel (standards, design, appraisal, etc.), a new approach is now needed to bring together the safety and security of critical industrial systems. Similar approaches have been taken in the past to implementing safety and security but employing different technical solutions. Can a combined path now be found in terms of risk management? The speakers offered to share their approach and looked at whether, faced with the challenge of open systems, and issues raised by mobility and big data, operating security has been living up to its promises.